Revisiting trust

Broadly, I’m wondering if anyone has any opinions on trust, verification, identity, etc., regarding policies in the store in general, or in specifics.

I think recently, here and outside in the broader world, the :elephant: in the room these days is always AI. From the topic being able to crash or stimulate an economy, to the legal and ethical dilemmas it creates. Seeing bots on these forums transition to basic link spam; to suddenly being able to invent entire fake companies, websites, and in some cases snaps overnight. It’s not just here, and shouldn’t be taken as a flaw in our community, because I see it elsewhere, increasingly so. I’d hate for this to be seen as a taboo subject. It’s the reality of the modern world, and to us, just another bug to be patched :smirk:.

To me, the current system for verified accounts needs reworking. Since verified and star developer accounts now implicitly create a two-tier system for snap publication, the status around having those tiers suddenly increases. (Context: snaps are now manually reviewed for “untrusted” accounts every revision, including their metadata, with recent policy changes). We need to be reasonable in how these are granted out, but also firm in that trust is earned based on various distinctions that might be hard to quantify, but ultimately exist.

Why would people trust me? Well, beyond being about a while, Canonical has my IP address that’s been static for 3 years, whilst the Online Safety Act has recently got me both using a VPN more whilst my phone camera (Pixel 10 Pro btw!) has me considering using the Gemini Pro trial for coding a lot more. If I pull anything dodgy, you guys are probably gonna send someone to knock on my door, that’s a strong guarantee by itself. It’s also not impossible one day I might say hi in person! Web of Trust, Linux style anyone?

To me, being trusted in part assumes that there’s an earned responsibility, given by accountability, because there’s clear consequence to action. That can’t be said of any random company that gets verified by purely having a domain name and claiming to be registered.

I know I can’t go around demanding change, and that practicality ultimately drives approach more than anything else. But to the community at large: please share your tangents on anything and everything related, I feel like there’s room for discussions well beyond my own here.

Snapcraft is a thriving ecosystem, and ultimately, this topic leeches on everyone’s great contributions to benefit maliciousness. It’s worth being direct on opinion because genuine improvement is worth it.

Also, let’s be clear, I’d be keen on seeing trust be made easier to be earned too. I know AI can do the video deepfakes, but hey, sell them Ubuntu Pro or a Brand Store whilst you get to know them.

1 Like

I again express my concerns over the impersonating cursor AI editor snap (A simple, unofficial Snap to install and apply a custom cursor theme on Linux desktops.). I am notified that the store is dealing with it, however the time required for the store to take mitigation actions doesn’t look good to me IMHO.

1 Like

I think what irritates me with that snap, beyond the fact that it’s probably AI driven spam, is that even if it wasn’t, it’s completely defunct and should be removed on grounds of being unusable, therefore detrimental to both our users and ultimately the store and community itself.

I took a look at my forum history, and see you posted this Feature request: Allow user to flag snaps as out-of-date and I countered with another one on the same point, years and years ago. The problem only grows whilst ignored.

Recently I had to make a mature decision to retire one of my own snaps as I wasn’t achieving good enough standards with support, and couldn’t commit to maintaining it, and would rather put that energy elsewhere. It feels bad, but it’s not unusual to retire packages in any Apt or RPM repo, it’s a fact of life. So that snap then looks bad on two completely separate grounds IMO and should be uncontroversial in any other app store environment. I’d really encourage we revisit that thread in the future, maybe we could provide some manpower in the future to push it forward. :slight_smile:

1 Like